Protected Mode (3): Interrupt Gates and Trap Gates

Interrupt gates and trap gates live in the IDT. Dump the IDT with the debugger:

kd> dq idtr L40h
8003f400  80538e00`0008f19c 80538e00`0008f314
8003f410  00008500`0058113e 8053ee00`0008f6e4
8003f420  8053ee00`0008f864 80538e00`0008f9c0
8003f430  80538e00`0008fb34 80548e00`0008019c
8003f440  00008500`00501198 80548e00`000805c0
8003f450  80548e00`000806e0 80548e00`00080820
8003f460  80548e00`00080a7c 80548e00`00080d60
8003f470  80548e00`00081450 80548e00`00081780
8003f480  80548e00`000818a0 80548e00`000819d8
8003f490  80548500`00a01780 80548e00`00081b40
8003f4a0  80548e00`00081780 80548e00`00081780
8003f4b0  80548e00`00081780 80548e00`00081780
8003f4c0  80548e00`00081780 80548e00`00081780
8003f4d0  80548e00`00081780 80548e00`00081780
8003f4e0  80548e00`00081780 80548e00`00081780
8003f4f0  80548e00`00081780 806d8e00`00082fd0
8003f500  00000000`00080000 00000000`00080000
8003f510  00000000`00080000 00000000`00080000
8003f520  00000000`00080000 00000000`00080000
8003f530  00000000`00080000 00000000`00080000
8003f540  00000000`00080000 00000000`00080000
8003f550  8053ee00`0008e9de 8053ee00`0008eae0
8003f560  8053ee00`0008ec80 8053ee00`0008f5c0
8003f570  8053ee00`0008e481 80548e00`00081780
8003f580  80538e00`0008db40 80538e00`0008db4a
8003f590  80538e00`0008db54 80538e00`0008db5e
8003f5a0  80538e00`0008db68 80538e00`0008db72
8003f5b0  80538e00`0008db7c 806d8e00`00082728
8003f5c0  80538e00`0008db90 80538e00`0008db9a
8003f5d0  80538e00`0008dba4 80538e00`0008dbae
8003f5e0  80538e00`0008dbb8 806d8e00`00083b70
8003f5f0  80538e00`0008dbcc 80538e00`0008dbd6

An interrupt gate has the same basic layout as a call gate, but its Type field is 1110; a trap gate's Type field is 1111.

Interrupt gate privilege escalation experiment

Construct the interrupt gate 0040ee00`00081020 and install it in the IDT entry for vector 0x20 (the entry at 8003f500 in the dump above, which is not present by default):

#include "stdafx.h"
#include <stdio.h>

// Test must be linked at 0x401020, the handler offset encoded in the gate
// (0040ee00`00081020 -> offset 0x00401020, selector 0x0008, DPL 3, Type 1110).
unsigned __int32 X;

// Runs in ring 0 after "int 0x20" passes through the crafted gate; reads one
// dword of kernel memory (the IDT entry itself) and returns with iretd.
void __declspec(naked) Test() {
    __asm {
        mov eax, dword ptr ds:[0x8003f500]
        mov X, eax
        iretd
    }
}

int main(int argc, char* argv[])
{
    __asm {
        int 0x20   // the DPL 3 gate lets ring 3 code raise this vector
    }
    printf("%x", X);
    getchar();
    return 0;
}

A trap gate is almost identical to an interrupt gate; the difference is that entering through an interrupt gate clears the IF flag (masking further maskable interrupts while the handler runs), whereas a trap gate leaves IF unchanged.
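Added example (not code from the original post): a small C decoder for the 8-byte IDT descriptors printed by `dq idtr`, splitting each into offset, selector, Type, DPL and P so that an entry such as 80538e00`0008f19c (a DPL 0 interrupt gate at 0x8053f19c) can be told apart from the experiment's 0040ee00`00081020 (a DPL 3 interrupt gate whose handler sits at 0x00401020, in user space). The 0x80000000 user/kernel boundary used by the check is an assumption about the default 32-bit Windows address split.

```c
#include <stdint.h>
#include <stdio.h>

/* Gate types carried in bits 8..11 of the descriptor's high dword. */
enum gate_type { GATE_TASK = 0x5, GATE_INT16 = 0x6, GATE_TRAP16 = 0x7,
                 GATE_INT32 = 0xE, GATE_TRAP32 = 0xF };

struct idt_gate {
    uint32_t offset;   /* handler address (unused for task gates) */
    uint16_t selector; /* code segment selector, or TSS selector for a task gate */
    uint8_t  type;     /* 4-bit Type: 0xE = interrupt gate, 0xF = trap gate */
    uint8_t  dpl;      /* descriptor privilege level 0..3 */
    uint8_t  present;  /* P bit */
};

/* Split a raw descriptor into fields. 'raw' holds the high dword in its upper
   32 bits, i.e. the value exactly as kd prints it (high`low). */
struct idt_gate decode_gate(uint64_t raw)
{
    uint32_t lo = (uint32_t)raw, hi = (uint32_t)(raw >> 32);
    struct idt_gate g;
    g.selector = (uint16_t)(lo >> 16);                 /* low dword bits 16..31 */
    g.offset   = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);  /* offset[31:16] | offset[15:0] */
    g.type     = (uint8_t)((hi >> 8) & 0xF);           /* high dword bits 8..11 */
    g.dpl      = (uint8_t)((hi >> 13) & 0x3);          /* high dword bits 13..14 */
    g.present  = (uint8_t)((hi >> 15) & 0x1);          /* high dword bit 15 */
    return g;
}

/* Flag a present interrupt/trap gate that ring 3 may raise with "int n" and whose
   handler lies below the kernel boundary; this is the shape of the gate in the
   experiment. The 0x80000000 split is an assumption (default 2 GB/2 GB layout). */
int gate_is_suspicious(uint64_t raw)
{
    struct idt_gate g = decode_gate(raw);
    if (!g.present || g.type == GATE_TASK) return 0;
    return g.dpl == 3 && g.offset < 0x80000000u;
}

int main(void)
{
    /* Constructed sample: vector 0 from the dump above and the experiment's gate. */
    uint64_t samples[] = { 0x80538e000008f19cULL, 0x0040ee0000081020ULL };
    for (size_t i = 0; i < 2; i++) {
        struct idt_gate g = decode_gate(samples[i]);
        printf("sel=%04x off=%08x type=%x dpl=%u p=%u suspicious=%d\n", g.selector,
               g.offset, g.type, g.dpl, g.present, gate_is_suspicious(samples[i]));
    }
    return 0;
}
```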

Original article: https://www.cnblogs.com/harmonica11/p/14156745.html